Here's something I hear quite a bit when talking about security things:

Our site isn't a target, it doesn't have anything valuable on it

This is usually the retort that comes back in defence of some pretty shady practices and, in the mind of the defendant, it's a perfectly reasonable position. They don't collect any credentials, they don't have any payment info and in many cases, the site is simply a static representation of content that rarely changes. So what upside is there for an attacker?

Reputation. More specifically, a non-negative reputation, because that's a valuable thing to attackers wanting to mount a phishing campaign. This happens on an alarmingly regular basis and there was a perfect illustration of precisely this when it was discovered that spammers were hosting files on Equifax's website (every time we thought it couldn't get any worse...). This subheading within the piece describes precisely what the attraction is:

Spammers Crave Legitimate Domains

I'll come back to illustrating the value proposition of this a little later on but for now, I want to share a collection of examples I've been saving over the last few months. What follows are all phishing emails which made their way through Microsoft's Outlook.com filters and landed in my inbox. For example, this one suggesting that I needed to upgrade my account:

Looks legit; nice work on the "Microsof" spelling too, guys! Ok, it actually looks terrible, but the phishing page it then links to is pretty convincing:

It's a normal, garden variety website. Pretty rudimentary, running on WordPress and very possibly using any number of plugins which have had serious security risks in the past. It's the sort of site people think doesn't offer any upside to an attacker, yet here we are.

Another phish for Microsoft credentials which, again, made it directly into my inbox was this one:

It displays many of the hallmarks of a phishing attack including establishing a sense of urgency, providing a call to action and attempting to create an air of authenticity. The text "This message is from a trusted sender" you see in the header is the name of the recipient and that same text in the body of the email is nothing more than stylised HTML.

It links through to a similarly convincing phishing page:

This page happily loaded through my ISP and through Chrome's anti-phishing protection because the site was yet to be flagged as malicious. Once I stripped off the path, here's what was on the site:

Nobody ever suspects daffodils! Chrome certainly didn't, but if you try going to that site now, you'll have a very different experience. Now I doubt the Daffodil Excursion website ever had much going on traffic-wise, but its value proposition was that it didn't have a negative reputation!

Another Microsoft phish came through which looked particularly convincing:

And there's your phishing page which all began with that one little hop through a compromised site.

Now compare the experience in the images above - namely the fact that I could load the sites without warning - to the following experiences. For example, if I attempt to load the aforementioned daffodil site in Chrome today:

This is simply a matter of sufficient time having passed that Google has now classified the site as malicious and placed a rather unmissable warning on it.

Here's what happens if I try and hit a site that Freedome VPN recognises as malicious:

So, you see the pattern: domains with non-negative reputations are valuable - that's the attraction here and it's just as attractive whether a site is collecting valuable user credentials or posting photos of daffodils! Every site has something valuable it needs to protect, and that's its reputation. Let that go, and the only thing you're left with is those last 4 screenshots above.